New Credit Card, Same Old Problem

Banks and retailers in the United States are about to undertake a $30 billion-plus upgrade of the way they process credit card and debit card transactions. The current, outdated magnetic stripe technology will eventually be replaced by smart cards with computer chips embedded within them. With the new cards, you will “dip” them into new card reading machines, instead of swiping them as before.

However, this changeover is not going to be immediate, as banks and retailers are not quick to embrace it, mostly for financial reasons, ironically enough. Even more, critics argue that the new system will not go far enough in preventing credit card fraud in the U.S., and warn that we can expect more of the same when it comes to mass retailer hackings that compromise our financial data and identities.

How Credit Cards Work Now

The U.S. may be the financial capital of the world, but it is still largely using technology that was developed in the 1960s to process credit card transactions. As a result, our financial data is highly vulnerable to hack attacks and outright thieves.
With most credit cards, when you swipe one to make a purchase, the merchant computer sees everything embedded in the magnetic stripe in plain text, including your name, credit card issuer, card number, card expiration date and other data linked to the card. All a computer hacker (or store employee) has to do is capture that data before the computer encrypts it. With that data, a thief can use the card for online transactions, or make counterfeit cards by encoding another credit card’s magnetic stripe with your card’s information.

The U.S. Trails the World

Over the past few years, over 80 countries have upgraded their systems to use credit cards that contain microchips, instead of magnetic stripes. These cards are extremely hard to counterfeit, as hackers not only need your information, but they also need an actual microchip as well. In addition, the European system has a feature that the U.S. system does not: At the time of purchase, a personal identification number (PIN) must be entered to validate the transaction.
European banks have seen dramatic decreases in credit card fraud as a result. England reported a 34% reduction in fraud in the six years following implementation of this system by their banks and merchants, while France experienced a similar 35% reduction of credit card fraud. Unfortunately, this so-called “chip-and-PIN” system is not destined to hit America, even with the new multi-billion dollar system upgrade.

It’s a Matter of Money

So, why are U.S. issuers and merchants dragging their feet? Well, it comes down to a wide array of costs both groups are facing. First, microchip cards cost between $1 and $2 per card to produce, while magnetic stripe cards cost less than a quarter, so issuers are looking at an almost ten-fold increase in the cost of producing their cards. The total cost to issuers is estimated at $8 billion or more.

In addition, retailers face upgrade costs that will total at least $25 billion, if not more, as they replace their magnetic stripe readers with machines that can read the new microchips. While the costs are steep, banks are forcing the retailers to make this happen, and quickly.

As it stands now, credit card related fraud expenses are picked up by the issuing banks, not the retailers. However, by October 2015, retailers will be required to have the new card readers in place, or else they will be financially liable to cover all future fraud-related expenses.

For some retailers, the new machines won’t be worth the expense. The total cost of each new machine, plus installation, can run between $500 and $1,000. An upgrade of all its points of purchase could be a real financial blow to a small business. Larger businesses may need to spend upwards of $25,000 or more per store for the upgrade. That is close to the cost of two full-time, minimum wage workers. That may be two workers that don’t get hired this year as a result.
Some larger companies are quick to embrace the technology, and rightly so. Target is expected to spend over $100 million to upgrade its stores and Red Card credit card to the microchip technology. That is not a surprise, since its customer database was the victim of one of the more notorious data breaches in recent history, one that affected 110 million customers. This is a good PR (public relations) move by Target, for sure.

This Does Not Go Far Enough

Though microchip cards are emerging as the norm, and thieves will have a tough time creating an actual fraudulent card, the fact that U.S. issuers will still only require signature authorization at the time of purchase (let’s call it “chip-and-signature”), instead of entry of a PIN, still keeps the door open to system abuse.

Anyone can sign for a transaction, critics argue. That is why they say a PIN requirement would add another layer of security and protection for the true card holder. And cyber-thieves can still hack a store’s computer system to scrape the memory of payment terminals in order to obtain credit card data for all sorts of nefarious activities that don’t require a PIN, including using the information for spoofing.

Why Not Chip-and-PIN?

In a classic “he-said, she-said” disagreement, banks and retailers are at odds about the true intent behind the reluctance to adopt PIN-authorized transactions. Banks argue that, while they are ready to make the change to microchip cards, they are not ready for a PIN authorization system right away, because that would take several computer upgrades. Retailers say this is just a stall tactic for banks to keep socking them with higher transaction costs.

As it is, retailers pay larger fees to banks when a customer signs for a transaction, while the same transaction fee would be much less if a PIN was used, as is the case when you use a debit card, which requires PIN entry. This is why many retailers encourage the use of debit cards over credit cards, or may refuse credit cards altogether. The processing fee a merchant pays to the credit card issuer can be 2% or more of the value of a credit card transaction, versus only about a half of a percent for a debit card transaction.

In answering the banks’ position, Mallory Duncan, the nation’s leading retail lobbyist in Washington, did not buy their argument.

“They (the banks) made the (October 2015) deadlines!” he said. “…They’d rather have fraud-prone signatures, because it potentially makes them more money than a secure PIN.”
Mr. Duncan may have it right. The fact is, card issuers earned about $41.2 billion from credit card swipe fees in 2014, according to advisory firm Sonecon. Meanwhile, they lost just $5.33 billion to fraud, according to the Nilson Report. Obviously, issuers don’t have much incentive to move away from signature authorization: though they would eliminate $5 billion in fraud expenses, the total swipe fee income from PIN-authorized transactions would be much, much less.

Another reason banks may be stalling is the fact that they really want to move away from traditional plastic cards (both with magnetic stripes or microchips) that use “static numbers” (numbers that don’t change) altogether. They feel a more effective fraud prevention solution would be to adopt the use of single-use “token” numbers that change every time you make a transaction, just like the ones that are used by Apple Pay and Samsung Pay.

It’s Under Way Already

For all the feet-dragging by issuers and merchants, things are moving ahead. Trade groups that support chip-and-PIN technology hope that U.S. banks and retailers make it the standard practice over the next few years. Javelin Strategy & Research estimates that about 23% of credit and debit cards will be replaced with the new microchip cards by the end of 2015.

Chase and Citi had already offered the chip-and-PIN cards in the past, but mostly only to consumers who travel internationally. Now Chase is expected to replace close to 90% of its 50 million cards by the end of 2015, while Bank of America expects to have at least 50% of its cards replaced by year-end. Other banks expect to replace their cards as the old, magnetic stripe cards expire, which means many cards won’t be replaced for another year or two, at least. Will retailers be ready? And will banks break down and allow chip-and-PIN to be adopted? Stay tuned.